zeek September 2021

zeek@lists.zeek.org

10 participants
10 discussions

by Andy Millett

Hi guys, I wonder if anyone can offer any advice in relation to an issue we have using Zeek (LTS 4.0.3), and a Myricom 10G-PCIE2-8C2-2S. The Myricom card is currently on a SPAN port from a Juniper QFX, albeit we’re planning to move to a Profitap fibre TAP soon. We’ve compiled Zeek using sources in order to accommodate the snf driver (e.g ./configure --with-pcap=/opt/snf/), and it works well using the following node.cfg configuration - [worker-1] type=worker host=localhost #pin_cpus=1,3,5,7 interface=snf0 lb_method=myricom lb_procs=8 Our issue, is that when we try to filter traffic, either using ZeekArgs, or redef PacketFilter::default_capture_filter, workers crash within a few minutes of starting the process. We’re trying to use a simple capture filter like - ZeekArgs = -f "not dst host 10.100.48.5 and not dst host 10.100.40.78” Or redef PacketFilter::default_capture_filter = "not host 10.100.48.5"; The output of the crash diag is attached, but in short, we experience - Program terminated with signal SIGSEGV, Segmentation fault. #0 zeek::packet_analysis::Ethernet::EthernetAnalyzer::AnalyzePacket (this=0x5560e04be680, len=808, data=0x41d853675b0719a8 <error: Cannot access memory at address 0x41d853675b0719a8>, packet=0x5560e171b9c8) at /root/zeek-4.0.3/src/packet_analysis/protocol/ethernet/Ethernet.cc:33 33 if ( data[12] == 0x89 && data[13] == 0x03 ) [Current thread is 1 (Thread 0x7f90ea7172c0 (LWP 4830))] If we remove the BPF or capture filter, the processes stay online consistently. Any advise on how to diagnose this would be greatly appreciated. Best regards Andy

4 weeks, 1 day

Zeek bugfix/security releases: v4.0.4 and v4.1.1

by Tim Wojtulewicz

Downloads for Zeek 4.0.4 and Zeek 4.1.1 are available: https://zeek.org/get-zeek https://download.zeek.org/zeek-4.0.4.tar.gz https://download.zeek.org/zeek-4.1.1.tar.gz See the release notes for details of the addressed bugs and security issues: https://github.com/zeek/zeek/releases/tag/v4.0.4 https://github.com/zeek/zeek/releases/tag/v4.1.1 Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages

1 month

redef'ing a variable as a command line parameter

by Troy Wojewoda

I haven't redef'd a variable from the command line since Bro 2.5, now running Zeek 4.2.0-dev.78 and I'm getting the following error: *error in <params>, line 1: syntax error, at or near "redef" or end of file ./test.zeek* Example is super simple for trying to understand what I'm doing wrong - test.zeek: *const s1 = "world" &redef;* *print fmt("hello %s", s1);* On the command line: > zeek ./test.zeek s1="zeek" * error in <params>, line 1: syntax error, at or near "redef" or end of file ./test.zeek* If I modify the script as follows it works fine: *const s1 = "world" &redef;redef s1="zeek";* *print fmt("hello %s", s1);* > zeek ./test.zeek hello zeek What am I missing?? ~Troy

1 month, 1 week

New Brim & Zed releases

by Phil Rzewski

Greetings, Zeek community! It's been a while, but new GA releases of the Brim desktop app (v0.25.0 <https://github.com/brimdata/brim/releases/tag/v0.25.0>) and Zed backend/CLI tooling (v0.30.0 <https://github.com/brimdata/zed/releases/tag/v0.30.0>) have finally arrived! Since this is our first release since February, there's too many changes to cover in a brief email. There's full details in release notes at the links above. A few highlights: The storage used by Brim to hold your Zeek/Suricata/other logs is now a "Zed lake". Though the introduction of Zed lakes causes no immediate change to your favorite Brim workflows, they unlock powerful new functionality that will be revealed in Brim going forward, including Git-like branching. See the Zed lake README <https://github.com/brimdata/zed/blob/main/docs/lake/README.md> for details. Enhancements have been made to the Zed language to unify search and expression syntax, introduce new operators and functions for data exploration and shaping, and more! Review the Zed language docs <https://github.com/brimdata/zed/blob/main/docs/language/README.md> for details. pcap processing is now handled by a separate, new component called Brimcap. Your favorite pcap workflows in Brim have not changed, but Brimcap also opens up new flexible custom configurations and can be used as a standalone tool. For more info, check out the Brimcap README <https://github.com/brimdata/brimcap/blob/main/README.md> and wiki <https://github.com/brimdata/brimcap/wiki>. Other links of general interest: Download page <https://www.brimsecurity.com/download/> for the Brim application Brim's YouTube channel <https://www.youtube.com/channel/UC0ju7Esmh13oLS8FTS-B3Eg>, which includes app demos and info for developers (admittedly getting a bit dated) Join our public Slack workspace <https://www.brimsecurity.com/join-slack/> for announcements, Q&A, feedback, and to trade ideas Have fun! -- Phil & the Brim team

1 month, 1 week

vZeekWeek Schedule Announced - Register today!

by Amber Graner

Hi all, We just announced the schedule for vZeekWeek 2021 - 13-15 Oct 2021. *Link to the announcemen*t - https://zeek.org/2021/09/14/vzeekweek-2021-schedule-announced-register-toda… *Registration Link* - https://www.eventbrite.com/e/vzeekweek-2021-tickets-169366494745 *More information* can be found at zeekweek.org <https://zeek.org/zeekweek2021/> Hope to see you all online in October. Please let me know if you have any questions. Thanks, ~Amber

1 month, 1 week

Zeek - single huge pcap

by aziel.sartaj

Hi folks, I am currently struggling how to analyse single big (500MB-1GB+) pcap file with zeek in a short time. I am using standalone mode of zeek and with this command: zeek -Cr sample_500MB.pcap local it took about 1.40min which is a bit too long for my needs... What do you advise, how can I get zeek -r multithreadded behaviour like? Documentation says, use cluster with several workers (even on one node) but I am not sure if you can read pcap in cluster mode? Another option is tcpreplay and let workers generate logs in cluster mode? So what do you guys advise, I am doing only offline pcap analysis with single 500+MB pcap and zeek should use ideally 4-6 cores instead of one. Thank you.

1 month, 2 weeks

Kafka Plugin with Zeek

by Jahan Wadia

Hi Folks, I am currently using the Apache Kafka plugin to send logs to the Kafka server. The current setup is designed to use the plugin to send each zeek log(5 log streams) to a specific kafka topic as described here <https://github.com/apache/metron-bro-plugin-kafka#example-4---send-each-zee…> . But the requirement now is to: 1 - Continuing to send the existing zeek logs to their specific topics as described above. 2 - Send all the other *selected* log streams to just one topic name on kafka cluster. I have tried to set this up but it does not seem to work. Is this possible to do? Appreciate your help! Thanks, Jahan

1 month, 2 weeks

Upcoming Zeek Events - 15 Sep 2021

by Amber Graner

Hi all, Wednesday 15 Sep, 2021 is going to be a busy, yet fun day. We have a virtual meetup AND we'll be recording another Zeek Webinar. Details below on how you can participate in each of these events. - 15 September 2021 – VIRTUAL ZEEK MEETUP – 10am – 11:30am Pacific/12pm – 1:30pm Eastern – GUEST SPEAKER – *Richard Bejtlich, * https://www.taosecurity.com/, will be our speaker at this event. He’ll be speaking about, “How to monitor your wireless network?” Register to attend this meetup at: https://www.meetup.com/greater-boston-area-open-source-zeek-meetup-group/ev… - 15 September 2021 – ZEEK WEBINAR SERIES: How Zeek and Suricata work together: Complementary not Competitive! – 11am Pacific/2pm Eastern – On the Zeek Slack workspace and other areas in the Zeek Community, we are often asked, “Should I use Zeek or Suricata to monitor my network?” In this webinar, *Alex Kirk* discusses how Zeek and Suricata can be used together and how they are complementary not competitive tools. This webinar is free, but registration is required. Register at: https://event.webinarjam.com/register/29/vlq6ytvm Please let me know if you have any questions. Thanks, ~Amber

1 month, 2 weeks

Reformatting the source code with clang-format

by Tim Wojtulewicz

I recently opened a pull request at https://github.com/zeek/zeek/pull/1717 <https://github.com/zeek/zeek/pull/1717> to reformat the entire Zeek code base using clang-format. Clang-format 12.0.1 (and 13) recently gained more support for the Whitesmiths formatting style that Zeek uses. Reformatting against some sort of standard has been on the Zeek roadmap for a while. This email is to notify everyone that we’re going to merge this PR in the next week or so. It shouldn’t cause any breakage to plugins built out-of-tree, but will likely cause breakage for people that have forks of Zeek or are working on long-lived branches. If there’s any concerns with us merging this, please comment on the PR so we can resolve those concerns. Thanks! Tim

1 month, 2 weeks

REMINDER - Zeek Monthly Community Call - 1pm ET Today 1 SEP 2021

by Amber Graner

HI all, Just a quick reminder that the monthly Zeek Community call will start in about 30 mins at 1pm ET. The meeting will be 30 mins or less and cover the following: - Zeek LT Update - Zeek Technical Update - Zeek Subgroup Updates - ZeekWeek 2021 Register to attend at: https://zoom.us/meeting/register/tJ0lf-usqzwpGdXz35YcBhYtJOEjvSZcgl6W Thanks, ~Amber

1 month, 3 weeks

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek September 2021